[Lvfs-announce] LVFS and the new Jcat files

Richard Hughes hughsient at gmail.com
Tue Mar 3 11:02:59 UTC 2020


Hi all,

This is just for your information, as I know some vendors get worried
when extra unknown files get added to the cabinet archives. The
important thing to take away from this email is that no action is
required and that they’re harmless.

The LVFS is now adding an additional Jcat file in each signed archive.
A Jcat file can be used to store GPG, PKCS-7 and SHA-256 checksums for
multiple files. This allows us to sign a firmware or metadata multiple
times (perhaps by the ODM, OEM and also then the LVFS) which further
decentralizes the trust model of the LVFS. At the moment we are just
using the Jcat file to store the same detached GPG and PKCS-7
signatures we already generate. Nothing is actually parsing the new
.jcat file in the archive and the .asc and .p7b detached signatures
are still generated as before.

If however you are interested in signing the firmware with a
vendor-specific detached key before it gets uploaded to the LVFS
please let me know. The jcat-tool command line tool isn’t very fully
featured yet, but this is the kind of feature we’ll be working
towards. There’ll be no requirement for vendors to do this, and the
LVFS will of course continue to sign your firmware as before.

More information about the Jcat specification can be found here:
https://blogs.gnome.org/hughsie/2020/02/28/introducing-jcat/

Richard
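
Added example (not part of the original announcement, and not the Jcat
project's own code or file format): a small Python model of the idea the
mail describes, a per-file container holding a SHA-256 checksum plus
detached signatures from several parties (ODM, OEM, LVFS), verified with a
policy that names which signers are required. The manifest layout, the
party names and the file contents are constructed for illustration. Real
Jcat stores GPG and PKCS-7 signatures; to keep this runnable with only the
standard library the "signatures" here are HMAC-SHA256 tags under
per-signer secret keys, which is a stand-in, not a public-key signature.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Hypothetical per-party keys (constructed). In the real system each party
# holds its own GPG or PKCS-7 signing key; HMAC is only a stdlib stand-in.
SIGNER_KEYS = {
    "odm": b"odm-key-constructed",
    "oem": b"oem-key-constructed",
    "lvfs": b"lvfs-key-constructed",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(signer: str, data: bytes) -> str:
    """Stand-in for a detached signature: an HMAC tag over the file bytes."""
    return hmac.new(SIGNER_KEYS[signer], data, hashlib.sha256).hexdigest()


def build_manifest(files: Dict[str, bytes], signers: List[str]) -> dict:
    """One item per file; each item carries a checksum blob and one
    signature blob per signer (hypothetical layout, not the Jcat schema)."""
    items = []
    for name, data in files.items():
        blobs = [{"kind": "sha256", "data": sha256_hex(data)}]
        for s in signers:
            blobs.append({"kind": "sig", "signer": s, "data": sign(s, data)})
        items.append({"id": name, "blobs": blobs})
    return {"version": 1, "items": items}


def countersign(manifest: dict, files: Dict[str, bytes], signer: str) -> dict:
    """Append another party's signature to every item without touching the
    existing ones, e.g. the LVFS signing after the OEM already did."""
    for item in manifest["items"]:
        item["blobs"].append(
            {"kind": "sig", "signer": signer, "data": sign(signer, files[item["id"]])}
        )
    return manifest


def verify(manifest: dict, files: Dict[str, bytes], required: List[str]) -> Dict[str, bool]:
    """Per file: every checksum blob must match the bytes, and a valid
    signature must be present for each party listed in `required`."""
    items = {it["id"]: it["blobs"] for it in manifest["items"]}
    results = {}
    for name, data in files.items():
        blobs = items.get(name)
        if blobs is None:
            results[name] = False  # file not covered by the manifest at all
            continue
        digest = sha256_hex(data)
        sums = [b["data"] for b in blobs if b["kind"] == "sha256"]
        sums_ok = bool(sums) and all(hmac.compare_digest(s, digest) for s in sums)
        valid = set()
        for b in blobs:
            if b["kind"] == "sig" and b["signer"] in SIGNER_KEYS:
                if hmac.compare_digest(b["data"], sign(b["signer"], data)):
                    valid.add(b["signer"])
        results[name] = sums_ok and set(required) <= valid
    return results


# Constructed sample archive contents.
FILES = {
    "firmware.bin": b"\x7fFAKE-FIRMWARE-IMAGE-constructed",
    "firmware.metainfo.xml": b"<component>constructed metadata</component>",
}


def demo() -> dict:
    """OEM signs before upload, LVFS countersigns, then verification runs
    under several policies; the manifest round-trips through JSON."""
    manifest = build_manifest(FILES, ["oem"])
    only_oem = verify(manifest, FILES, ["oem", "lvfs"])      # LVFS missing
    manifest = json.loads(json.dumps(countersign(manifest, FILES, "lvfs")))
    both = verify(manifest, FILES, ["oem", "lvfs"])          # both present
    tampered = dict(FILES, **{"firmware.bin": b"\x7fMODIFIED-constructed"})
    modified = verify(manifest, tampered, ["oem", "lvfs"])   # bytes changed
    no_odm = verify(manifest, FILES, ["odm"])                # never signed
    return {"only_oem": only_oem, "both": both, "modified": modified, "no_odm": no_odm}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that adding a signer never invalidates earlier
signatures (each party signs the same bytes independently), while the
verifier's `required` list expresses the trust policy: a file whose bytes
were altered after signing fails the checksum and every signature at once,
and a policy that requires a party who never signed fails without any
tampering.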
